Apparently it's not hard to circumvent some fingerprinting solutions

Jun 6, 2012 12:06 GMT  ·  By

Trusteer experts have come across an underground hacking forum on which they’ve found tutorials that detail how the fraud detection systems set in place by financial and e-commerce providers can be circumvented.

The anti-fraud mechanisms usually fingerprint a device in order to identify signs of misuse. They collect data such as IP address, web browser type and version, and operating system details.

If, for instance, too many orders are placed from one machine, but from multiple user accounts, alarm bells are set off and the transaction is blocked.

However, as the researchers have found, cybercriminals have come up with ways of bypassing the system.

First, the tutorial recommends the use of virtual private networks (VPNs) and proxy services, which can easily hide the IP addresses of the machines utilized by the fraudsters.

They’re also taught how to make the system misread the “fingerprints”, leading it to believe that different computers with different browsers and operating systems have been used to make the various transactions, even though everything is done from a single device.

While this may sound complicated, it really isn’t. The piece of software that performs the task is freely available for download, achieving its objectives simply by manipulating the information in the web browser’s User-Agent header.

Trusteer’s CTO Amit Klein warns that fingerprinting solutions which rely only on User-Agent data are not 100% accurate, because that data can be easily tricked.
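To illustrate the "too many accounts from one machine" rule described above and why a fingerprint built from the User-Agent header is brittle, here is an added example; it is not code from Trusteer, from the merchants mentioned, or from the forum tutorial. The order records, account names, IP addresses and the threshold are constructed, and the fingerprint signals are the three the article lists (IP address, browser from the User-Agent header, operating system):

```python
import hashlib
from collections import defaultdict

# Constructed sample orders (not real data): four orders from the same machine,
# each under a different customer account, with the User-Agent header and the OS
# string it carries rewritten per order; plus two orders from an office NAT that
# legitimately serves two accounts.
ORDERS = [
    {"account": "cust-101", "ip": "203.0.113.7",
     "ua": "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Firefox/12.0", "os": "Windows 7"},
    {"account": "cust-102", "ip": "203.0.113.7",
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7) Safari/534.57", "os": "Mac OS X"},
    {"account": "cust-103", "ip": "203.0.113.7",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/19.0", "os": "Linux"},
    {"account": "cust-104", "ip": "203.0.113.7",
     "ua": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)", "os": "Windows XP"},
    {"account": "cust-201", "ip": "198.51.100.20",
     "ua": "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Firefox/12.0", "os": "Windows 7"},
    {"account": "cust-202", "ip": "198.51.100.20",
     "ua": "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Firefox/12.0", "os": "Windows 7"},
]

# Browser and OS are both derived from the client-sent User-Agent header, so a
# fingerprint that includes them changes whenever the client rewrites that header.
CLIENT_CONTROLLED = ("ua", "os")


def fingerprint(order, fields):
    """Hash the selected signals of one order into a short device identifier."""
    material = "|".join(f"{f}={order[f]}" for f in fields)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def flag_devices(orders, fields, max_accounts=3):
    """Velocity rule from the article: return {fingerprint: sorted accounts} for
    every device that placed orders under more than max_accounts distinct accounts."""
    accounts = defaultdict(set)
    for order in orders:
        accounts[fingerprint(order, fields)].add(order["account"])
    return {fp: sorted(a) for fp, a in accounts.items() if len(a) > max_accounts}


def spoofable_fields(fields):
    """Which of the chosen fingerprint inputs the client can rewrite freely."""
    return [f for f in fields if f in CLIENT_CONTROLLED]


if __name__ == "__main__":
    # Same orders, two fingerprint keys: one that trusts the User-Agent header
    # and one that does not.
    for fields in (("ip", "ua", "os"), ("ip",)):
        hits = flag_devices(ORDERS, fields)
        print(f"key={fields} spoofable={spoofable_fields(fields)} flagged={hits}")
```

With the User-Agent-derived fields in the key, the four rotated orders look like four different devices and nothing is flagged; keyed on the IP address alone, the same orders collapse into one device with four accounts and trip the rule. Dropping to an IP-only key is not a fix in itself, since the same tutorial recommends VPNs and proxies, which is why Klein's advice below is to source the device information from somewhere the client cannot rewrite.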

“This tutorial demonstrates that cybercriminals have achieved a sophisticated level of understanding of device fingerprinting techniques and are exploiting this knowledge to evade fraud prevention systems that rely on the browser's User-Agent header to detect cybercrime,” Klein explains.

“It is also a call to action for merchants and financial institutions that use device fingerprinting. They should make sure their solutions are collecting device information from a tamper-proof source.”